Ahmed Baig, CISO at Abu Dhabi Government Entity - Establishing effective risk management framework for compliance


Ahmed Baig, CISO at Abu Dhabi Government Entity spoke at the CIO Middle East Event April 2013

Published in: Technology, Economy & Finance
  1. Ahmed Qurram Baig, Information Security & GRC Expert
     ESTABLISHING EFFECTIVE RISK MANAGEMENT FRAMEWORK FOR COMPLIANCE
     "Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat." - Sun Tzu
  2. AGENDA
     • Challenges & benefits of information security governance
     • Characteristics of an effective information security governance program
     • Discussing industry's best practices and steps in the information security program lifecycle
     Ahmed Qurram Baig, Copyright, 2013.
  3. CHALLENGES TO RISK MANAGEMENT & GOVERNANCE
     • Balancing extensive requirements originating from multiple governing bodies.
     • Balancing legislation and company-specific policy.
     • Evolution to support different requirements and new legislation.
     • Prioritizing available funding according to the requirements introduced.
     Ahmed Qurram Baig, Copyright, 2012.
  4. BENEFITS OF RISK MANAGEMENT & GOVERNANCE
     • Strategic Alignment
     • Risk Management
     • Convergence & Business Process Assurance
     • Resources Management:
       • Governance provides clarity of roles and responsibilities
       • Governance empowers the people responsible with authority
     • Monitoring & Performance Measurement
     • Value Delivery
  5. INFORMATION SECURITY, RISK & GOVERNANCE FRAMEWORK
     (Diagram; the elements labelled on the slide are:)
     • Strategic Planning; Business Strategy; Risk Management / Information Security Strategy
     • Organization Structure; Roles and Responsibilities; Enterprise Security Architecture; Implementation
     • Policies and Standards; Guidance
     • Senior Management; Steering Committee & Executive Management; ERM / CISO / Steering Committee or Information Security Forum
     • Monitoring & Reporting; Risk Assessment; Business Impact Analysis; Business & Regulatory Requirement
  6. STEPS: INFORMATION SECURITY FOR RISK MANAGEMENT, GOVERNANCE & COMPLIANCE
     • Define and enumerate the desired outcomes
     • Assess current security and required state
     • Describe the attributes and characteristics of current and desired state
     • Perform a gap analysis to identify prerequisites to reach the desired state
     • Determine available resources and constraints
     • Develop a roadmap to address gaps using available resources and constraints
     • Develop control objectives and controls supporting strategy
  7. ENTERPRISE SECURITY ARCHITECTURE & RISK MANAGEMENT
     (Diagram; the elements labelled on the slide are:)
     • Business Architecture: Business & Services; Information Systems; Employees & Third Party Staff; Locations & Facilities
     • Layers: Data; Application; Host; Network
     • People controls: Roles and Responsibilities; Authority Matrix; Recruitment Process; Disciplinary Process; Access Management; Security Awareness
     • Governance: Goals and Objectives; KPI & KRI (Key Risk Indicators); Regulations & Compliance
     • Physical Security; Technology Security; Assurance
     • Policies and Standards; Risk Management; Security Architecture
  8. INFORMATION SECURITY & RISK MANAGEMENT ACTIVITIES
     Governance and Strategic Security
     • Security Program Management
     • Policies/Procedures Creation and Review
     • Enterprise Security Architecture
     • Audit & Compliance Readiness
     Operational Security
     • Security Operations
     • Incident & Breach Response
     • Penetration Testing
     • Vulnerability Scanning / (Management)
     • Software and Application Security
     Risk Management
     • Independent Assessments
     • Continuous Monitoring & Reporting
     Cross-cutting: Security Awareness & Education, across People, Process, Technology, Partners
  9. THANK YOU. Q & A